Multi-Modal Model for Embedding Network and Audit Data for IoT Anomaly Detection

Research output: Chapter in Book/Report/Conference proceeding › Conference Contribution (Conference Proceeding)

Abstract

Current IoT infrastructures generate heterogeneous telemetry, primarily network data (inter-host information) and audit data (intra-host information). Most intrusion detection approaches use network or host information but not both. For resource-constrained environments such as Internet of Things (IoT) systems in particular, anomaly detection research into multimodal techniques remains lacking. We propose a multimodal fusion approach that combines network and host telemetry data to improve intrusion detection accuracy while maintaining computational efficiency. To address resource constraints, our approach applies dimensionality reduction to reduce memory and computational requirements. We evaluated our approach on a suitable IoT dataset with network and host (Windows 7 and 10) features already extracted. Our experimental evaluation demonstrates two critical findings. First, multi-modal fusion significantly improved detection accuracy across all evaluated models. The 1D-CNN model improved by 17.60 percentage points, from 81.72% to 99.32%, while tree ensembles (XGBoost and Random Forest) achieved ideal accuracy. Unsupervised methods also benefited substantially, with Agglomerative Clustering increasing from 0.2173 to 0.6304 Adjusted Rand Index. Second, we demonstrate that the fused feature space can be reduced to less than half the features while maintaining comparable accuracy, reducing computational requirements. We found that PCA performed as well as UMAP in terms of accuracy but was considerably faster (54x speedup) at reducing the feature space. The proposed approach demonstrates robustness to class imbalance and provides practical deployment guidance for resource-constrained IoT environments, with comprehensive benchmarking across over 15 model architectures including traditional machine learning, deep learning, and transformer-based approaches.
Original language: English
Title of host publication: 12th International Conference on Information Systems Security and Privacy
Subtitle of host publication: ICISSP 2026
Publisher: SciTePress
Publication status: Accepted/In press - 19 Dec 2025
Event: 12th International Conference on Information Systems Security and Privacy - Marbella, Spain
Duration: 4 Mar 2026 → 6 Mar 2026
https://icissp.scitevents.org/

Conference

Conference: 12th International Conference on Information Systems Security and Privacy
Abbreviated title: ICISSP 2026
Country/Territory: Spain
City: Marbella
Period: 4/03/26 → 6/03/26

Research Groups and Themes

  • Intelligent Systems Laboratory
  • Communication Systems and Networks
